So I was investigating an incident where a user had signed in from a TOR exit node on an AAD Joined device. After investigating, I had found that they had a commercial VPN, and their endpoints also served as exit nodes. So they weren't actually using TOR, but their traffic was coming from an exit node. The device is part of a group with more lax controls, so this is absolutely allowed (I can't really explain more, I would love to go to town with this stuff and remove it, but that isn't my call).

So I was in a situation where I can't tune, because I need Defender device logs to see if its the VPN (too high ingestion), and I can't just allow the IPs as they are TOR exit nodes.

Which gave me the idea of having annotations on the entities in UEBA. So in this case, I could say "known to use a VPN which also acts as TOR exit nodes, check source IP" or something similar. It saves having to create a separate knowledge base and keep it up to date with data from all security products.

Would also be useful for users too. I have a user who frequently mass deletes files on a certain time on a certain day which triggers DLP rules. I could add the conditions of that behaviour as an annotation, rather than having to write a crazy analytics rule which has to check the day and time, user and Sharepoint site, plus other exclusions. 

Something like the comments thread on incidents will suffice.